need some help on finding memory stuff and check my current offsets

**freitag** · 11-02-2009

ok m8's we got a problem....maybe someone can help us finding this:

object table (moveable)

I can't manage to update the old adress as the last patch changed pretty much.
what I've tryed: search for already known values like name, health, x,y,z no results that would lead me to the object table.

maybe someone could provide us the right offset, but i prefer a way how to find this.

**mosimo** · 11-02-2009

Struggling with this too. I can get from within an object to the first object in the table. But going from there backwards I'm a little stuck. I keep following routes but get nowhere. If anyone could give us a little help on how to actually find the offsets it would be handy.

**freitag** · 11-03-2009

ok mosimo and i are able to track this down to the base (first object?)
We don't know wether this is the right way but...no idea ^^

what happens:
we got an adress that points to the base of each object in the list (changing all the time)
so with adress + 0x360 we get for example the name

the problem now is that we can't get it this to work like
(adress + objectnumber*4-4)+0x360
i mean that what we got already is all the time a different object->object 1 ->object 10 -> object xx, and not for example (adress + 1*4-4)+0x360 (<- this would be object 1 -> name)
looking for what accesse "adress" doesn't give any usefull result :/

---
I hope you understand what I've written but my english isn't that well that i could keep this short and understandable, maybe mosimo could translate this :P

**mosimo** · 11-03-2009

Hehe, yea basically we can do this:
search for a name
check if there is a valid float value at -0x1DC if there is then we are in a game object. -0x184 from the float value and you get the start of that game object. set some breakpoints on the first address that access that address and you can see one number looping through. when that is at it's lowerst we're at the first object (call that baseID)
so now we can do:

int[] gameObject = new gameObject[];
for(int i=0; i < 50; i++)
{
gameObject[i] = memory.readInt(baseID+(i*4));
}

Bit of random code but that will fill an array with the start address of the first 50 game objects. So from that we can get all the info for the moveable objects, names, x,y,z etc. by doing:

float x = memory.readFloat(gameObject[4] + 0x184); // to get the x pos of the 5th object

The problem is that baseID is the one we cannot find the original static pointer for. I can trace it one pointer back to get 2 paths one is something+0x25c and another is something+0x4 which gives baseID. but going back one more than that I get stuck. Then I zone and all the memory locations change.

So yea. Any help going further than this to actually get the static pointer would be handy. Me and Freitag will kep trying though

**defthack** · 11-09-2009

I never really had a good system for finding the static pointer for the game objects array. I always used a brute force method for finding the static pointer once I had the list of game objects. In cheat engine there is a function called "pointer scan for this address" that would take about 30 mins to scan for all possible paths from a static pointer to the starting address of the game objects array. After finding thousands of possible addresses I would save the list as a Cheat Table XML file so that I could add the extra memory offsets to point to the name of the first object in the list then restart Age of Conan and see which ones still pointed to correct values.

EDIT:Failure! The 14 day trial account from http://www.mmowned.com/forums/age-co...-required.html is an EU account and I have the US client so it won't let me login to the account.

EDIT2:The EU and US clients are the same its just a configuration file that changes the login server but I get the error "Your account has not been verified." when I try to login. Perhaps it will work tomorrow.

**freitag** · 11-09-2009

HI DEFTHACK!!

Thx that you take a look.

If you do this "pointer scan for this address" how many pointer (i think this is the max level and what's the size of the struct?) do you search 1 or 2 level?

the old one was like base +4 +what i want to read
so 2 level?

I'm so desperated -_-

hope to hear from you soon!

**mosimo** · 11-10-2009

Heh, defthack that is long way round :P

I managed to get a working radar and everything now. But I didn't do it using the static pointers. Way I did it was injecting a codecave into aoc. found the static function in aoc that sets the final pointer for the object table then I saved that to a static location. Read that in my program and it works.

**freitag** · 11-15-2009

Current offsets:

Player Table: 0x0219d938
x: +124
y: +12c
z: +128
rotation1: +178
rotation2: +180
rotation3: +194
rotation4: +19c
speed walking back: +200
speed walking forward: +1f4
speed walking strafe: +208
speed running back: +204
speed running forward: +1f8
speed running strafe: +20c
speed sprinting: 1fc
max endu: +120 +57c
max health: +120 +56c
max mana: +120 +570
current endu: +120 +578
current health: +120 +4a0
current mana: +120 +574

Object Table:
(I got two adresses)

02FF7AE0 +objectnumber*4 -4 +Value you are looking for eg 184 for X

3000e60 +objectnumber*4 -4 +Value you are looking for eg 184 for X

**Sychotix** · 11-15-2009

Guessing nobody is updating my old address for fly-hacking =P If anyone wants to find it... put a breakpoint on your z coord. Eliminate those that are called when going up, and then find the address that is called when you are ONLY falling. There should be a jump around this function that will allow you to continually fall, and control your direction of movement... and your z coord can be edited to allow you to go higher and higher.

**freitag** · 11-18-2009

hmmm sounds nice sychotix maybe i give it a try next days.

btw after todays patch it seems that nearly the whole struct changed -_-
so far i got the player stuff but now i need to analyse the object struct to get the new offset

(((((( damn m8s and i was so happy i finaly got the right object offset -_-

In polish i would say: KURWA!!!!!!!!!!!!!!!

never mind.